1. Field of the Invention
This invention pertains in general to computer security and in particular to detecting malicious software.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Malware can, for example, surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Modern malware is often targeted and delivered to only a relative handful of computers. For example, a Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Such malware is difficult for security software to detect because there are fewer instances of the same malware, and the security software might not be configured to recognize it. Moreover, even mass-distributed malware is becoming harder to detect because the malware can contain polymorphisms designed to evade detection.
In response to the increasing difficulty of detecting malware, security software is evolving toward heuristic-based detection. This type of detection identifies malware using a set of heuristics, such as descriptions of behaviors that are indicative of malicious activity. Heuristic-based detection can work well, but it has drawbacks in some environments. For example, behavior-based heuristics require that the potential malware be allowed to execute in order to exhibit the behaviors that are then flagged as malicious. This requirement renders heuristic-based detection unsuitable for environments where the malware does not execute, such as routers, firewalls, and other computers that use network traffic filtering to scan for malware “on-the-wire.” Moreover, heuristic-based detection capabilities are not present in all environments where malware may execute, so computers in these environments remain susceptible to attack.
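The following is an added example, not code from the patent: a minimal behavior-heuristic scanner of the kind the paragraph above describes. Each heuristic is a description of behaviors indicative of malicious activity (an ordered set of observed actions), matched against the event trace that a sample produces while it executes. The heuristic names, weights, event vocabulary, threshold and sample traces are all constructed for illustration. The last function shows the limitation the paragraph states: a traffic filter scanning bytes on the wire never observes an execution trace, so behavior heuristics have nothing to evaluate.

```python
"""Behavior-heuristic detection over execution traces (illustrative example)."""
from dataclasses import dataclass


# One behavior observed while a sample executes, e.g. recorded by a sandbox monitor.
@dataclass(frozen=True)
class Event:
    action: str   # constructed vocabulary: "reg_write", "file_write", "net_connect"
    target: str   # registry path, file path, or host:port


# A heuristic: behaviors that must be seen, in order, plus a suspicion weight.
@dataclass(frozen=True)
class Heuristic:
    name: str
    weight: int
    required: tuple  # sequence of (action, substring-of-target) pairs


# Constructed heuristics; weights and threshold are arbitrary for the example.
HEURISTICS = (
    Heuristic("persistence-via-run-key", 40,
              (("reg_write", "\\CurrentVersion\\Run"),)),
    Heuristic("self-copy-to-system-dir", 30,
              (("file_write", "\\System32\\"),)),
    Heuristic("beacon-after-persistence", 50,
              (("reg_write", "\\CurrentVersion\\Run"), ("net_connect", ":"))),
)
THRESHOLD = 60


def matched(heuristic: Heuristic, events: list) -> bool:
    """True if the required behaviors appear in the trace as an ordered subsequence."""
    if not heuristic.required:
        return False
    idx = 0
    for e in events:
        action, fragment = heuristic.required[idx]
        if e.action == action and fragment in e.target:
            idx += 1
            if idx == len(heuristic.required):
                return True
    return False


def score_trace(events: list):
    """Sum the weights of all heuristics that fire on this trace."""
    hits = [h.name for h in HEURISTICS if matched(h, events)]
    total = sum(h.weight for h in HEURISTICS if h.name in hits)
    return total, hits


def classify(events: list):
    """Verdict, score and the heuristics that fired, in that order."""
    total, hits = score_trace(events)
    return ("malicious" if total >= THRESHOLD else "benign", total, hits)


def observed_on_the_wire(payload: bytes) -> list:
    """A traffic filter sees only bytes of the file in transit; the sample is not
    executed, so no behavior events exist. This is the blind spot the text notes."""
    del payload  # the bytes are available, but no behaviors are
    return []


# Constructed traces standing in for what a sandbox might record.
BENIGN_INSTALLER = [
    Event("file_write", "C:\\Program Files\\Editor\\editor.exe"),
    Event("reg_write", "HKLM\\Software\\Editor\\Version"),
]
TROJAN_TRACE = [
    Event("file_write", "C:\\Windows\\System32\\svchost32.exe"),
    Event("reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    Event("net_connect", "198.51.100.7:443"),
]

if __name__ == "__main__":
    print("sandbox, benign sample:", classify(BENIGN_INSTALLER))
    print("sandbox, trojan sample:", classify(TROJAN_TRACE))
    # The same trojan bytes seen by an on-the-wire filter yield no trace at all.
    print("on the wire, trojan bytes:", classify(observed_on_the_wire(b"MZ...")))
```

Run against the sandbox traces, the trojan sample fires all three heuristics (score 120) and the installer fires none. Fed the same sample as raw bytes, `classify` returns a score of 0, not because the sample is benign but because no behavior was ever observed, which is why the text describes behavior heuristics as unsuitable for routers and firewalls that scan traffic without executing it.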